I'm so happy to share my first article in English; helping the community all over the world is fantastic for me!
Today in this article I share with you a way to disable Defender for Endpoint with Live Response, without any interaction on the endpoint, so that Helpdesk or IT are autonomous in doing this activity.
I made the following steps to make it possible:
- Create a PowerShell script to disable Tamper Protection and Real-time Monitoring
- Create a PowerShell script to enable Tamper Protection and Real-time Monitoring
- Create a PowerShell script to verify that the operation was done correctly
To show you this I use my Microsoft 365 tenant and one endpoint that is onboarded on the Microsoft Defender portal.
Fig 1: Endpoint onboarded on the Microsoft Defender portal
And I use a Microsoft 365 E5 license; to view all Microsoft licenses I refer you to Aaron Dinnage's website, which shows the detailed licensing of Microsoft 365:
Home | M365 Maps
Fig 2: License used for the demo
OK, let's go: now I create the PowerShell script (it is very fast and simple).
Fig 3: Script to disable Tamper Protection and Real-time Monitoring
And now the second script to re-enable protection.
Fig 4: Script to re-enable Tamper Protection and Real-time Monitoring
Now I create the last script to check and monitor all MDE (Microsoft Defender for Endpoint) configuration.
Fig 5: Script to check and monitor whether the configuration is correctly applied
Save all of the scripts on your client, for example in the Downloads folder (I did this).
Fig 6: Scripts that I saved into the Downloads folder
Now I go to the Microsoft Defender portal and open a Live Response session on one endpoint (in my case SRVDOREMINIO).
Fig 7: Select the endpoint on which to stop protection
Fig 8: Open a Live Response session on the endpoint
Fig 9: Upload the script to the Live Response library
Fig 10: Upload all the scripts that you made in the previous steps
Now we run the "library" command in Live Response to view all the scripts that you uploaded to the library.
Fig 11: Scripts that are in the library
OK, perfect, now we need to enable "Troubleshooting mode"; in this way we are able to stop Tamper Protection with the script:
Fig 12: Enable Troubleshooting mode on the endpoint
Wait up to 5 minutes and run Live Response again.
Fig 14: Run the script to view the parameters before disabling
Fig 15: Tamper Protection and Real-time Monitoring enabled
Now we run the script to disable protection.
Fig 16: Script to disable protection
Fig 17: Protection disabled on the endpoint
Important: Troubleshooting mode remains active for 4 hours; after that, Tamper Protection automatically becomes ACTIVE again.
To re-enable protection, run EnableRealTime.ps1 in Live Response.
Fig 18: Protection enabled again
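The status check that Fig 5 and Fig 18 rely on can look like the following. This is an added example, not the author's script: it assumes the Defender PowerShell module (Get-MpComputerStatus / Get-MpPreference) is available on the endpoint, as it is on a Windows machine onboarded to MDE, and the -ExpectEnabled switch name is my own choice.

```powershell
# Added example (not the author's script): report the Defender protection state
# after the disable/enable scripts have run, and fail when -ExpectEnabled is given
# and something is still off. Designed to be uploaded to the Live Response library.
param(
    [switch]$ExpectEnabled   # hypothetical switch: require every protection to be on
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# The fields that change when Real-time Monitoring or Tamper Protection is toggled.
$checks = [ordered]@{
    'Tamper Protection'                        = $status.IsTamperProtected
    'Real-time Monitoring'                     = $status.RealTimeProtectionEnabled
    'Behavior Monitoring'                      = $status.BehaviorMonitorEnabled
    'On-access Protection'                     = $status.OnAccessProtectionEnabled
    'DisableRealtimeMonitoring preference off' = (-not $pref.DisableRealtimeMonitoring)
}

$allOn = $true
foreach ($name in $checks.Keys) {
    $value = [bool]$checks[$name]
    if ($ExpectEnabled -and -not $value) { $allOn = $false }
    '{0,-45} : {1}' -f $name, $value
}

# AMRunningMode (Normal, Passive, EDR Block, ...) confirms the engine itself is
# still running after the change; the timestamp helps when comparing Live Response
# outputs taken before and after the 4-hour Troubleshooting window.
'{0,-45} : {1}' -f 'AMRunningMode', $status.AMRunningMode
'{0,-45} : {1}' -f 'Checked at (UTC)', (Get-Date).ToUniversalTime().ToString('u')

# A non-zero exit makes it obvious in the Live Response output that protection
# was not fully restored and EnableRealTime.ps1 (or the automatic re-enable) is still needed.
if ($ExpectEnabled -and -not $allOn) {
    Write-Output 'WARNING: one or more protections are still disabled.'
    exit 1
}
exit 0
```

From the Live Response console the script runs as `run CheckStatus.ps1` for a plain report, or `run CheckStatus.ps1 -parameters "-ExpectEnabled"` to verify that protection is back on after the re-enable step.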
Conclusion
This is a solution to disable endpoint protection for testing, or for example when it is necessary to stop MDE for a software update; in this way it is not necessary to connect to the endpoint, and the activity is transparent on the user side.
Enjoy MDE 😀